Spectral  Domain  RF  Fingerprinting 
for  802.11  Wireless  Devices 

THESIS 

Sheldon  A.  Munns,  Captain,  USAF 
AFIT/GE/ENG/10-19 


DEPARTMENT  OF  THE  AIR  FORCE 
AIR  UNIVERSITY 

AIR  FORCE  INSTITUTE  OF  TECHNOLOGY 


Wright- Patterson  Air  Force  Base,  Ohio 


APPROVED  FOR  PUBLIC  RELEASE;  DISTRIBUTION  UNLIMITED. 


The  views  expressed  in  this  thesis  are  those  of  the  author  and  do  not  reflect  the 
official  policy  or  position  of  the  United  States  Air  Force,  Department  of  Defense,  or 
the  United  States  Government. 


AFIT/GE/ENG/10-19 


Spectral  Domain  RE  Fingerprinting 
for  802.11  Wireless  Devices 

THESIS 


Presented  to  the  Faculty 

Department  of  Electrical  and  Gomputer  Engineering 
Graduate  School  of  Engineering  and  Management 
Air  Force  Institute  of  Technology 
Air  University 

Air  Education  and  Training  Gommand 
in  Partial  Fulhllment  of  the  Requirements  for  the 
Degree  of  Master  of  Science  in  Electrical  Engineering 

Sheldon  A.  Munns,  BSEE 
Gaptain,  USAF 

March  2010 


APPROVED  FOR  PUBLIG  RELEASE;  DISTRIBUTION  UNLIMITED. 


AFIT/GE/ENG/10-19 


Spectral  Domain  RE  Fingerprinting 
for  802.11  Wireless  Devices 


Sheldon  A.  Munns,  BSEE 
Gaptain,  USAF 


Approved: 


/ /signed/ / 


Michael  A.  Temple,  PhD  (Ghairman) 


March  17,  2010 


Date 


//signed//  March  17,  2010 

Steven  G.  Gustafson,  PhD  (Member)  Date 

//signed//  March  17,  2010 


Maj.  Michael  J.  Mendenhall,  PhD 
(Member) 


Date 


AFIT/GE/ENG/10-19 


Abstract 

The  increase  in  availability  and  reduction  in  cost  of  commercial  communication  de¬ 
vices  (e.g.  IEEE  compliant  such  as  802.11,  WiFi,  802.16,  Blutooth  etc.)  has  increased 
wireless  user  exposure  and  the  need  for  techniques  to  properly  identify/classify  signals 
for  increased  security  measures.  Gommunication  device  emissions  include  intentional 
modulation  that  enables  correct  device  operation.  Hardware  and  environmental  fac¬ 
tors  alter  the  ideal  response  and  induce  unintentional  modulation  effects.  If  these 
effects  (features)  are  sufficiently  unique,  it  becomes  possible  to  identify  a  device  us¬ 
ing  its  fingerprint,  with  potential  discrimination  of  not  only  the  manufacturer  but 
possibly  the  serial  number  for  a  given  manufacturer. 

Many  techniques  in  many  domains  have  been  investigated  to  extract  features, 
identify  a  fingerprint,  classify  signals,  and  each  technique  has  certain  benefits  and 
limitations.  Previous  AFIT  research  has  demonstrated  the  effectiveness  of  RF  Fin¬ 
gerprinting  using  802. IIA  signals  with  1)  spectral  correlation  on  Power  Spectral 
Density  (PSD)  fingerprints,  2)  Multiple  Discriminant  Analysis/Maximum  Likelihood 
(MDA/ML)  classification  with  fingerprints  obtained  from  Time  Domain  (TD)  and 
Wavelet  Domain  (WD)  statistical  features.  Performance  “gain” ,  defined  as  the  differ¬ 
ence  in  Signal-to-Noise  ratio  (SNR)  required  to  achieve  comparable  classification  per¬ 
formance,  has  been  used  to  demonstrate  considerable  improvement.  Spectral  Domain 
(SD)  fingerprinting  uses  PSD  features  for  device  discrimination.  Results  presented 
here  show  some  improvement  over  the  WD  approach  (gain  3  dB)  and  significant 
improvement  over  the  TD  approach  (gain  8  dB). 
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Spectral  Domain  RF  Fingerprinting 
for  802.11  Wireless  Devices 

I.  Introduction 


1.1  Motivation 

The  increase  in  availability  and  reduction  in  cost  of  commercial  communication 
devices  (e.g.  IEEE  compliant  such  as  802.11,  WiFi,  802.16,  Blutooth  etc.)  has 
increased  wireless  user  exposure  and  the  need  for  techniques  to  properly  identify/- 
classify  signals  for  increased  security.  Communication  device  emissions  include  inten¬ 
tional  modulation  that  enables  correct  device  operation.  This  intentional  modulation 
may  be  remotely  intercepted,  where  the  interceptor  may  be  passive  (listen,  monitor, 
record,  analyze,  etc.)  or  become  active  such  as  “spoohng”  or  even  inject  traffic  into 
the  system. 

A  great  deal  of  research  has  focused  on  traditional  bit-level  algorithmic  approaches 
to  mitigate  spoofing  and  improve  network  security  [8].  More  recent  research  has 
been  accomplished  to  detect  and  mitigate  spoofing  within  or  near  the  lower  levels 
of  the  Open  System  Interconnection  (OSI)  architecture.  One  work  suggests  using 
a  “lightweight  security  layer”  within  the  Medium  Access  Control  (MAC)  layer  for 
anomalous  traffic  and  spoofing  detection  [8]. 

The  goal  of  other  recent  work  tries  to  exploit  Radio  Frequency  (RF)  characteristics 
at  the  Physical  (PHY)  layer  that  are  difficult  to  mimic,  thus  minimizing  spoofing 
opportunities  [13].  The  fundamental  research  goal  in  [15,  16,  17]  involved  developing 
RF  hngerprinting  techniques  to  obtain  a  Specific  Emitter  Identihcation  (SEI)  similar 
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to  that  used  to  distinguish  radar  emitters  [9]. 

Spanning  nearly  twenty  years,  radar  SEI  uses  parameters  based  on  intentional 
modulation  applied  within  a  given  pulse  (intra-pulse  modulation)  or  applied  across 
multiple  pulses  (inter-pulse  modulation).  Hardware  and  environmental  factors  such 
as  poor  system  design,  improper  operation,  and  physical  device  limitation  alter  the 
ideal  signal  response  and  induce  unintentional  modulation  effects.  At  the  waveform 
level,  these  unintentional  modulation  effects  are  similar  to  what  occur  in  existing 
wireless  communication  systems  that  transmit  burst-like  waveforms  representing  dig¬ 
ital  information  such  as  symbols,  bits,  or  packets.  If  the  unintentional  modulation 
effects  (features)  are  sufficiently  unique  it  becomes  possible  to  identify  a  given  device 
using  its  fingerprint,  with  potential  discrimination  of  not  only  the  manufacturer  but 
also  serial  number  for  a  given  manufacturer. 

1.2  Problem  Statement 

The  RF  fingerprinting  process  is  separated  into  four  phases,  including:  1)  burst 
detection,  2)  signal  region  of  interest  selection  and  feature  extraction,  3)  fingerprint 
generation,  and  4)  fingerprint  classification  of  unknown  received  signals.  These  phases 
are  the  basis  for  many  fingerprinting  techniques,  with  each  focusing  on  different  signal 
features  in  different  domains:  Wavelet  Domain  (WD),  Time  Domain  (TD)  and/or 
Spectral  Domain  (SD). 

Many  techniques  in  many  domains  have  been  investigated  to  extract  features, 
identify  a  fingerprint,  classify  signals,  and  each  has  certain  benefits  and  limitations. 
This  research  uses  the  TD  and  WD  process  developed  in  previous  research  to  cor¬ 
rectly  classify  emissions  from  Orthogonal  Frequency  Division  Multiplexing  (OFDM) 
802. IIA  signals  using  SD  features.  The  process  is  then  applied  to  a  Direct  Sequence 
Spread  Spectrum  (DSSS)  802. IIB  signal. 
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1.3  Related  Research 


This  research  builds  on  accomplishments  from  three  previous  works  [1,  5,  15]. 
The  work  in  [15]  focused  on  detection  and  identihcation  of  GMRS/FRS  press-to-talk 
radios  and  802. IIA  network  device  RF  transmission.  The  features  included  instan¬ 
taneous  amplitude,  instantaneous  phase,  and  instantaneous  frequency.  These  were 
used  to  calculate  statistics  for  feature  characterization  to  identify  unique  fingerprints. 
Two  methods  of  classihcation  were  used  for  802. IIA  devices:  spectral-based  corre¬ 
lation  which  produced  classihcation  accuracies  up  to  74%  for  SNR  =  -3  to  6  dB  , 
and  Multiple  Discriminant  Analysis/ Maximum  Likelihood  (MDA/ML)-based  classi¬ 
hcation  which  produced  classihcation  accuracies  of  74%  to  90%  for  the  same  values 
of  SNRs. 

The  work  in  [5]  explored  burst  detection  techniques  to  identify  the  feasibility  and 
repeatability  of  detecting  and  locating  the  start  of  a  waveform  burst.  Two  techniques 
were  utilized:  Fractal  Baysian  Step  Change  Detector  (Fractal-BSCD)  and  Traditional 
Variance  Trajectory  (VT).  A  newly  developed  WD  hngerprinting  technique  provided 
improved  performance  over  previous  TD  techniques  [15,  16,  17],  with  2-7  dB  of  gain 
improvement  realized  at  80%  classihcation. 

The  work  in  [1]  proposed  a  new  transient-based  identihcation  method  for  DSSS 
802.15  CC2420  wireless  sensor  nodes  and  explored  various  transformation  methods 
for  input  data  into  a  Linear  Discriminant  Analysis  (LDA)  feature  extractor.  The 
transformation  that  yielded  the  highest  recognition  accuracy  was  based  on  the  relative 
diherence  between  adjacent  Fast  Fourier  Transform  (FFT)  spectra.  The  so  called 
Prop  method  produced  recognition  results  with  an  Equal  Error  Rate  (EER)  as  low 
as  0.24%. 

As  described  in  greater  detail  throughout  this  document,  this  research  focuses  on 
SD  hngerprinting  using  Power  Spectral  Density  (PSD)  hngerprinting  features  gener- 
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ated  from  common  statistics  (variance,  skewness,  and  kurtosis)  to  formulate  unique 
fingerprints  for  signal  classification. 

1.4  Resources 

AFIT  provided  a  number  of  tools  used  throughout  this  research.  All  signal  data 
were  collected  using  the  Agilent®-based  RF  Signal  Intercept  and  Collection  Sys¬ 
tem  (RFSICS).  The  RFSICS  consists  of  the  following  pieces  of  equipment:  Agilent® 
E3238s  system  hardware  and  an  HP  Compaq  nc8430  laptop  computer  equipped  with 
the  Agilent®  E3238s  and  Vector  Signal  Analyzer  (VSA)  software  tools.  Two  Dell 
laptops  were  used  and  equipped  with  802.11  wireless  cards  specified  in  Table  1.1.  All 
post-processing  was  accomplished  using  MATLAB®  version  7.7.0  (R2008b). 

Table  1.1.  Device  manufacturer,  serial  uumber,  aud  sigual  type  (802. IIA  aud  802. IIB) 
used  for  geueratiug  Chapter  4  results. 


Mann 

Serial  Number  /  Signal  Type 

Cisco 

N4U9  /  A&B 

N4UD  /  A&B 

N4UW  /  A&B 

N4PX  /  A&B 

Linksys 

0306  /  B 

0307  /  B 

361  /  B 

Net  gear 

0209  /  B 

0217  /  B 

273  /  B 

1.5  Thesis  Organization 

Chapter  II  provides  background  information  on  RF  DNA  fingerprinting,  Fisher 
Linear  Discriminant  (FLD),  Spectral  Correlation,  Baysian  Decision  Theory,  and  MDA/ML 
classification.  Chapter  III  describes  the  research  methodology  and  overall  process  for 
signal  collection,  post-collection  processing,  digital  hltering,  region  of  interest  selec¬ 
tion,  SD  signal  transformation  and  fingerprint  feature  generation  for  MDA/ML  classi¬ 
fication.  Chapter  IV  presents  results  obtained  from  the  process  discussed  in  Chapter 
III  for  the  signals  of  interest.  Chapter  V  provides  conclusions  based  on  results  in 
Chapter  IV  and  suggest  areas  for  further  investigation  and  research.  Appendix  A 
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provides  a  detailed  process  for  RFSICS  signal  collection  as  nsed  to  obtain  all  data  for 
this  research. 
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II.  Background 


2.1  Overview 

The  material  presented  in  this  chapter  lays  the  ground  work  for  the  methodology 
described  in  Chapter  III  along  with  the  results  presented  in  Chapter  IV.  Section  2.2 
provides  an  introduction  to  RF  fingerprinting.  Section  2.3  discusses  Power  Spectral 
Density  (PSD)-based  fingerprinting,  Section  2.4  discusses  Bayes  Decision  Theory  ap¬ 
plied  to  classihcation,  Section  2.5  discusses  the  feature  statistics  used  to  create  the 
statistical  hngerprints  used  for  classihcation,  and  Section  2.6  provides  insight  into 
the  Multiple  Discriminant  Analysis/ Maximum  Likelihood  (MDA/ML)  classihcation 
method  used  for  generating  classihcation  results  described  in  Chapter  IV. 

2.2  RF  Fingerprinting 

RF  Distinct  Native  Attribute  (DNA)  hngerprinting  is  the  process  used  to  iden¬ 
tify  and  classify  unique  radio  transmission  characteristics  from  a  device  of  interest. 
RF  hngerprint  classihcation  embodies  four  phases  which  include:  burst  detection, 
waveform  feature  generation  (amplitude,  phase,  frequency,  PSD),  hngerprint  extrac¬ 
tion,  and  device  classihcation.  Feature  extraction  determines  which  domain  (time, 
frequency,  or  spectral)  yields  specihc  signal  information  (features).  Transient  start 
detection  is  needed  to  determine  where  the  signal  starts  for  Region  of  Interest  (ROI) 
selection. 

Once  the  feature  and  ROI  have  been  selected,  statistics  (mean,  variance,  skewness, 
kurtosis)  can  be  calculated  and  extracted  to  determine  the  unique  signal  hngerprint. 
Fingerprint  classihcation  determines  how  well  the  hngerprint  of  one  device  can  be 
identihed  or  diherentiated  from  another  device. 
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2.3  PSD-based  Fingerprinting 


The  PSD  describes  the  distribution  of  signal  power  in  the  frequency  domain  [14], 
which  is  important  because  it  identihes  the  frequency  components  having  strong  or 
weak  variation.  Since  frequency  is  derived  from  a  transformation  of  time  responses, 
frequency  domain  variation  provides  alternative  time  domain  processing.  Previous 
work  [15,  16,  17]  used  PSD  fingerprints  along  with  spectral  correlation  for  device 
classification.  The  process  involved  generating  reference  PSD  hngerprints 
for  each  class  m  G  M: 


N'j' 


(1) 


Z=1 


where  is  the  number  of  collected  training  signals  and  ^i{k)  is  the  un-normalized 
PSD  sequence  of  the  zth  collection  from  class  m  [15].  To  eliminate  any  power  bias 
present  from  the  signal  collection  process,  each  reference  PSD  hngerprint  is  normalized 
to  unit  power. 

Classification  was  accomplished  by  cross-correlating  each  PSD  with  the  average 
reference  hngerprint  from  each  class  [15,  16,  17].  At  a  Signal-to-Noise  Ratio  (SNR) 
approaching  6  dB,  classihcation  accuracies  of  74%  were  achieved  using  this  PSD-based 
spectral-correlation  classihcation  process  [15,  16,  17]. 

Additional  spectral-based  work  in  [1]  used  FFT-based  Fisher-features  to  hnger¬ 
print  802.15.4  CC2420  DSSS  devices.  Several  transformation  variants  were  investi¬ 
gated  for  recognition,  and  the  so-called  Prop  method  (diherence  between  adjacent 
FFT  spectra)  yielded  the  highest  recognition  accuracy. 

The  feature  extraction  process  in  [1]  involved  extracting  the  transient  part  of  the 
signal,  where  the  amplitude  of  the  signal  I  at  time  t  is  f{t,  /).  Once  the  transient  part 


7 


of  the  signal  was  extracted,  a  one-dimensional  Fonrier  transform  was  calcnlated: 


1)  =  ^  f{t,  l)exp{-27ri^-^),  (2) 

''  m=0 

where  0  <  f  <  M  —  1  and  M  is  the  nnmber  of  samples  in  the  transient  part  of  the 
signal.  For  the  Prop  method,  the  relative  difference  between  adjacent  FFT  spectra 
in  (2)  was  calculated  using 

H  =  [|f(2,0|  -  |F(l,i)l.imi)l  -  |F(2,0I.'  ■  -.inf  -  l,i)l  -  |F(f  -2,01]  (3) 

with  the  DC  component  and  the  redundant  half  of  the  spectrum  removed  [1].  The 
Fisher-feature  is  a  projection  vector  ^  extracted  from  the  Fourier  spectrum  using 
the  LDA  matrix  W^,  where 

ti  =  (4) 

The  Fisher- feature  G  for  a  given  device  of  N  captured  signals  is  an  array  of  gi  elements 
from  (4)  defined  as 

G  =  WiS,  (5) 

where  F  is  a  matrix  such  that  S  =  [so--Si--Sv]  (4).  Finally,  a  feature  template  h  is 
used  for  recognition  calculated  from  the  mean  vector  and  covariance  matrix  of  G. 
Using  this  process  [1]  reported  results  of  EER  0.24%,  meaning  that  the  recognition 
system  correctly  identifies  a  sensor  node  with  99.5%  accuracy. 

2.4  Bayesian  Decision  Theory 

The  classification  method  of  Bayesian  decision  theory  [2]  takes  d-dimensional  data 
belonging  to  one  of  c  classes  of  data  based  on  probability  densities,  prior  probabilities, 
and  any  costs  associated  with  making  a  classification  decision  [2].  Decision  boundaries 


are  defined  within  the  feature  space  that  reduce  the  probability  of  misclassification 
of  the  input  data  from  the  c  classes  of  data.  The  Gaussian  density  function  is  used 
as  the  probability  model  for  Bayesian  classification  given  by 


p{y) 


(6) 


where  a  is  the  standard  deviation  and  /i  is  the  mean. 

To  minimize  probability  of  misclassihcation,  decision  boundaries  are  formed  using 
(6)  as  the  distribution  model  for  the  vectors  in  the  feature  space.  According  to  Bayes’ 
rule,  the  posterior  probability  P{ujj\y)  is  given  by  a  set  of  c  total  classes, {a;i,  ...,a;c}, 
and  a  d-dimensional  feature  vector  y  yield  the  equation 


Pi^j\y) 


p{y\ujjP{uj) 

p{y) 


(7) 


where  class  Uj  contain  the  feature  vector,  and 

C 

piy)  = 

i=i 

contains  the  conditional  probability  p{y\ujj)  and  prior  probability  P{oJj)-  A  decision 
rule  is  a  goal  that  lessens  the  risk  associated  with  making  a  decision.  Assuming  that 
action  is  taken  based  on  the  occurrence  of  of  y  from  ujj,  the  conditional  risk  is 

C 

7?(ai|y)  =  X]  \ijP{ujj)'ii  =  1, ...,  a,  (9) 

where  a  is  the  number  of  possible  action  and  the  cost  of  choosing  a;,  when  ojj  occurred 
is  \ij.  The  Bayes  decision  rule  chooses  the  ujj  that  minimizes  R{ai\y)  for  all  actions 
a.  To  minimize  the  probability  of  misclassification  and  divide  the  feature  space  into 
c  regions,  y  is  assigned  to  the  class  with  the  minimum  R{ai\y),  thus  reducing  the 
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decision  rule  to  [2] 


(Ajfc  -  Xkk)p{y\uJk)P{uJk)  ^2  ~  Aii)p(yki)^K),Vj  ^  k.  (10) 


Assuming  uniform  costs  and  equal  prior  probabilities,  {P{ojj)  =  P{uJk),'^j  7^  k),  (10) 
the  result  is 

p(ykfc)  ^  (11) 

A  point  belonging  to  ujj  assigned  to  uik  registers  as  a  misclassification.  The  total 
probability  of  making  a  classification  error  is 


Pe  =  =  P  [Classify  as  a;j|a;fc  is  true] .  (12) 

j,k 


The  univariate  Gaussian  distribution  presented  in  (6)  is  insufficient  for  multi-class 
analysis.  The  multivariate  model  used  for  two  classes  in  d-dimensions  given  by 


p{y) 


(2vr)5|^ 


—exp 


1 

2 


-1 

(y  -  m)‘ 


(13) 


where  p  is  the  d-component  mean  vector,  y  is  a  d-component  column  vector,  and 
is  the  d  X  d  covariance  matrix 


^  =  B  [(y  -  f.)‘(y  -  a)]  .  (14) 

Here  the  E[-]  notation  represents  the  statistical  expected  value  or  sample  mean.  Fig¬ 
ure  2.1  shows  projected  probability  densities  of  the  multivariate  Gaussian  model  for 
a  c  =  3  class  problem  with  d  =  2  dimensional  feature  space.  As  shown  projected 
onto  the  lower  plane,  the  decision  boundaries  are  used  to  calculate  the  total  analytic 
probability  of  classification  error. 
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Figure  2.1.  Example  of  the  Multivariate  Gaussian  Model  for  a  c=3  class  problem  and 
a  d—2  dimensional  feature  space,  where  decision  boundaries  are  shown  projected  onto 
lower  plane. 

2.5  Feature  Statistics 

Using  the  entire  signal  characteristic  (feature)  for  the  hngerprint,  as  described  in 
Section  2.3,  may  be  unrealistic  if  computational  processing  time  or  data  storage  is 
limited.  Previous  work  [5,  6,  7,  11,  12,  15,  16,  17]  made  use  of  statistical  behavior 
inherent  in  signal  characteristics  to  reduce  the  dimensionality  of  the  hngerprints.  To 
coincide  with  previous  work  in  [5,  6,  7],  the  statistics  of  variance  (cr^),  skewness  (7), 
and  kurtosis  (k)  are  used  here  to  create  statistical  hngerprints  for  classihcation.  These 
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statistics  are  obtained  as  follows: 


—  ^  [x{k)  -  xf  , 

^  k=l 


(15) 


(16) 


lx 


3/2  ’ 


2  ’ 


(17) 


where  x  is  the  sample  mean  of  an  arbitrary  seqnence  {x(k)}  and  k  =  1,  2, N^-  The 
hnal  RF  statistical  hngerprints  were  obtained  in  previons  work  [5,  6,  7,  11,  12,  15,  16, 
17]  by  calcnlating  these  statistics  from  varions  signal  characteristics  (instantaneons 
amplitnde,  instantaneons  phase,  and  or  instantaneons  freqnency).  For  work  presented 
here,  the  PSD  statistics  are  nsed  to  form  spectral-based  hngerprints. 

2.6  MDA/ML  Classification 

While  there  are  many  methods  for  classihcation,  they  all  fnndamentally  involve 
nsing  a  snbset  of  the  inpnt  data  to  train  the  classiher  and  the  remaining  data  for 
classihcation  itself.  Attempting  to  classify  higher- dimensional  data  becomes  difhcnlt 
withont  the  nse  of  the  Fisher  Linear  Discriminant  (FLD),  which  projects  higher¬ 
dimensional  inpnt  data  into  a  lower  dimensional  space  while  prodncing  maximnm 
separation  between  the  classes  [2]. 

Althongh  FLD  can  be  applied  to  any  nnmber  of  inpnts,  MDA/ML  is  an  extension 
of  FLD  for  three  classes  of  inpnt  data  [2,  3].  Discriminating  between  c  classes  of 
inpnt  data  containing  d-dimensions,  linearly  projecting  the  inpnt  vector  x  onto  a 
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(c?-l)-dimensional  space  can  be  obtained  tlirongh 


y  =  w^x  ,  (18) 

where  the  vector  of  projected  valnes  y  corresponds  to  the  inpnt  vector  x  and  the 
transformation  matrix  W  has  dimensionality  d  x  (c  -  1)  [2],  Classihcation  is  accom¬ 
plished  using  ML  distributions  to  calculate  2-dimensional  decision  boundaries  used 
on  unknown  input  data.  Figure  2.2  pictorially  represents  the  MDA/ML  training 
and  classihcation  process,  where  the  decision  boundaries  are  calculated  from  the  ML 
distributions  (top)  and  the  projected  data  is  used  for  classihcation  (bottom). 
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Figure  2.2.  MDA/ML  Training  (top)  and  Classification  (bottom)  [5]. 
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III.  Methodology 


3.1  Overview 

This  chapter  describes  signal  detection  and  classihcation  process  used  for  this  re¬ 
search.  The  process  here  is  consistent  with  previous  work  [5,  6,  7]  and  is  illustrated  in 
Figure  3.1  [5,  6,  7].  Section  3.2  provides  details  for  the  Signal  Collection  process  using 
AFIT’s  RF  Signal  Intercept  and  Collection  System  (RFSICS).  Section  3.3  describes 
post-processing  collection  procedures,  which  include  down-conversion,  hltering,  burst 
sorting,  and  analysis  signal  generation.  Section  3.4  describes  the  process  for  RF 
statistical  hngerprint  generation,  which  includes  PSD  calculation,  region  of  interest 
selection,  and  statistical  feature  calculation.  Section  3.5  discusses  the  MDA/ML  sig¬ 
nal  classification  process  which  was  used  to  generate  all  classification  results  presented 
in  Chapter  4. 


Figure  3.1.  Process  used  for  signal  collection,  detection,  analysis  signal  generation,  and 
classification  of  802.11  signals  [5,  6,  7]. 
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3.2  Signal  Collection 


All  data  used  for  this  research  was  collected  in  accordance  with  the  RFSICS 
collection  process  outlined  in  Appendix  A.  Prior  to  making  collections,  two  separate 
laptops  were  configured  as  a  peer-to-peer  network  using  802.11  wireless  cards.  The 
cards  were  powered  up,  set  to  the  appropriate  operating  mode  (802. IIA  or  802. IIB), 
and  information  is  transferred  from  one  to  the  other  while  the  RFSICS  is  operating 
in  collection  mode. 

The  signal-of-interest  (SOI)  center  frequency  is  located  using  a  wide  band  search 
spanning  20.0  MHz  and  6.0  GHz.  After  the  SOI  is  located,  the  36  MHz  RFSICS  front- 
end  hlter  is  tuned  and  centered  on  the  dominant  spectral  response.  To  maximize  the 
collected  signal-to-noise  ratio  (SNR)  and  to  reduce  amplitude  clipping,  the  RFSICS 
Analog-to-digital  (ADC)  dynamic  range  is  set  manually.  The  signal  is  then  down- 
converted  by  the  RFSICS,  sampled  by  a  12-bit  ADC,  and  stored  as  complex  I-Q 
data. 

The  data  is  stored  using  an  Agilent®  proprietary  “capture”  (*.cap)  format  and 
subsequently  converted  to  a  MATLAB®  (*.mat)  format  for  post-collection  process¬ 
ing.  This  research  only  used  the  real  component  of  collected  signals.  Representative 
collected  burst  responses  from  802.11A/B  devices  are  shown  in  Figure  3.2. 
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Figure  3.2.  Representative  magnitude  responses  for  bursts  collected  from  802. IIA 
(top)  and  802. IIB  (bottom)  devices. 
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3.3  Post-Collection  Processing 


The  MATLAB®  (*.mat)  formatted  data  is  a  vector  of  sampled  data  for  each 
burst.  Pulse  detection  and  sorting  makes  it  possible  for  each  burst  to  be  examined 
separately.  Each  burst  is  extracted  and  stacked  separately  into  one  row  of  a  given 
matrix  for  easy  access  and  examination.  Each  collected  burst  response  is  baseband 
hltered  using  a  6th  order  Butterworth  filter  having  a  baseband  bandwidth  of  BW  = 
7.7  MHz.  Previous  work  [5,  6,  7]  showed  that  BW  =  7.7  MHz  provides  maximum 
classification  performance  when  using  the  802. IIA  preamble  as  the  region  of  interest 
(ROI).  After  hltering,  the  preamble  region  is  extracted  and  stored  in  a  new  matrix 
for  subsequent  fingerprint  generation. 

3.3.1  Pulse  Detection  and  Sorting. 

Collections  of  802.11  data  are  initially  in  vector  form,  where  each  burst  is  extracted 
and  placed  into  row  matrix  form.  A  pulse  detection  algorithm  is  used  with  adjustable 
characteristics  (desired  detection  threshold,  minimum/maximum  length,  number  of 
bursts,  smoothing  factor)  to  extract  and  sort  each  burst  and  placed  into  a  matrix. 
These  adjustable  characteristics  are  used  since  not  all  bursts  in  the  collection  fit  the 
criteria  (minimum/maximum  length).  The  algorithm  Erst  smooths  (averages)  over  a 
given  number  of  samples,  specihed  as  the  smoothing  factor.  It  then  detects  a  burst  at 
the  desired  detection  threshold  value  {to  =  -3  dB)  and  locates  this  point  at  both  ends 
of  the  burst.  Finally,  it  checks  to  see  if  the  burst  is  wider  than  the  minimum  value 
but  narrower  than  the  maximum  value.  This  process  produces  a  matrix  where  all 
undesirable  bursts  have  been  removed,  leaving  bursts  meeting  the  criteria  for  further 
post-processing.  Figure  3.3  illustrates  the  process  over  a  small  region  of  the  original 
802. IIB  collected  data. 
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Figure  3.3.  Representation  of  the  burst  extraction  process,  where  a  burst  having  insuf¬ 
ficient  width  is  rejected  and  bursts  meeting  pulse  width  criteria  are  placed  in  a  matrix 
for  post  collection  processing. 


3.3.2  Preamble  Region  Extraction  and  Filtering. 

According  to  802. IIA  signal  specifications,  the  preamble  region  contains  informa¬ 
tion  at  the  beginning  of  each  burst  to  aid  in  diversity  selection,  timing/frequency 
acquisition,  and  channel  estimation  [4],  Figure  3.4  shows  the  preamble  region  of  the 
802. IIA  signal. 
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Figure  3.4.  Representation  802. IIA  signal  with  preamble  region  highlighted  (left)  with 
structure  (right). 

3.4  Statistical  Fingerprint  Generation 

Once  the  signal  preamble  region  is  filtered  and  extracted,  the  bursts  are  used 
to  calculate  statistical  RF  hngerprints  that  are  input  to  the  MDA/ML  classihcation 
process.  The  PSD  feature  is  hrst  calculated  and  normalized  according  to  (21).  The 
DC  component  and  redundant  half  of  the  data  are  removed.  Regional  variation 
analysis  is  then  used  to  determine  a  specihc  number  of  regions  (iV/j)  for  subdividing 
the  PSD  feature.  Consistent  with  previous  work,  the  statistics  of  interest  here  include 
variance,  skewness,  and  kurtosis.  These  features  are  calculated  over  each  PSD  region 
that  makes  up  a  hngerprint  matrix  which  is  input  to  the  MDA/ML  classihcation 
process. 
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3.4.1  Power  Spectral  Density  (PSD)  Calculation. 

The  PSD  is  obtained  through  the  discrete  Fourier  transform  (DFT)  of  a  complex 
sequence  {x(n)}, 


X{k)  =  —  ^x{n)exp 


n=l 


(19) 


where  n  =  1,2,  [10].  To  reduce  potential  amplitude  bias  from  the  collection 

process,  the  normalized  PSD  is  calculated.  First,  the  total  average  power  is  calculated 
using 

Xp  =  j;^^x{k)x*{k),  (20) 

*  k=l 

where  *  denotes  complex  conjugate  and  is  the  total  number  of  samples.  The 
expression  in  (20)  along  with  the  PSD  expression  in  (19)  is  used  to  form  the  normalized 
PSD  given  by 


Mk)  =  ^\X(k)\^  =  ^{Re‘  |X(^]  +  W  lX{k)]}.  (21) 

Jvp  yvp 

The  DC  component  {k  =  0)  is  removed,  and  the  redundant  half  discarded  {k  = 
1,  2, ...,  ^)  to  form  statistical  fingerprints.  Figure  3.5  shows  the  calculated  normalized 
PSD  (Figure  3.5(a))  for  an  802. IIA  signal  from  Figure  3.2  using  (21)  along  with  the 
portion  (Figure  3.5(b))  used  for  fingerprint  generation  (DC  component  and  redundant 
half  removed,  highlighted  in  Figure  3.5(a)). 
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Frequency  (Hz) 

(a)  PSD  of  preamble  region 


(b)  Redundant  half  of  PSD  (a)  removed 

Figure  3.5.  Representative  PSD  responses  (a)  and  portion  (highlighted)  used  for  fin¬ 
gerprint  generation  with  redundant  half  removed  (b). 
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3.4.2  Region  Selection  and  Feature  Calculation. 


Region  selection  is  based  on  analyzing  the  output  of  the  classihcation  process 
with  the  collected  SNR  =  40  dB  and  varied  from  3  to  21.  Figure  3.7  shows 
classihcation  performance  for  Nji  variation  at  40  dB.  These  results  indicate  that  Ah? 
=  13  is  optimal  and  thus  Nr  =  13  was  used  for  all  802. IIA  results  presented  in  Chapter 
4.  The  selected  value  Nr  =  13  is  used  to  subdivide  (Figure  3.7)  the  preamble  PSD 


Figure  3.6.  Classification  performance  versus  number  of  regions  (Nr)  for  SNR  =  40 
dB  with  Nr  —  13  selected  and  used  for  all  802. IIA  results. 

into  12  subregions  which  are  then  used  to  calculate  the  statistics  for  each  region.  The 
statistics  for  the  entire  preamble  PSD  are  also  calculated  and  appended  at  the  end 
of  the  matrix  to  form  an  Nr  =  13  regions  with  12  subregions.  For  consistency  with 
previous  research  on  802. IIA  data  [5,  6,  7],  the  statistics  of  variance  (cr^),  skewness 
(7),  and  kurtosis  {k)  are  calculated  over  each  region  to  form  the  statistical  hngerprint 
as  illustrated  in  (22).  This  process  is  repeated  for  each  burst,  then  placed  into  a 
hngerprint  matrix  that  is  input  into  the  classihcation  process.  Using  the  expression 
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in  (22)  with  =  13  regions,  the  hngerprint  matrix 


^Ri  -  li  ^i]i=l...NR  ^  [^RlFR2■■■FR^]  (22) 

that  is  input  to  the  Fisher  Training  Process  represents  39-dimensional  data  (1  PSD 
Feature  x  13  Regions  x  3  Statistics). 


Figure  3.7.  Subdivision  of  PSD  in  Figure  3.5  into  Nji  —  13  total  regions  for  feature 
calculation. 


3.5  Signal  Classification 

The  39-dimensional  hngerprint  data  obtained  from  Section  3.4.2  is  input  to  the 
MDA/ML  training  and  classihcation  process.  The  input  data  is  calculated  for  three 
different  classes,  where  each  class  represents  bursts  from  a  specihc  802.11  device. 
Following  the  training  process,  signal  classihcation  is  implemented  as  described  in 
Section  3.3.  Monte  Carlo  simulation  (noise  generation,  scaling  and  addition)  and 
K-fold  cross  validation  are  used  in  the  MDA/ML  signal  classihcation  process.  Monte 
Carlo  simulation  ensures  statistical  signihcance  of  data  by  running  the  event  multiple 
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times,  while  K-fold  cross  validation  randomly  partitions  the  original  data  into  K 
blocks  with  K-1  blocks  used  for  MDA/ML  training  and  the  remaining  block  used 
for  ML  classification.  The  overall  process  for  MDA/ML  training  and  classification  is 
shown  in  Figure  3.8  [18]. 


Figure  3.8.  MDA/ML  classification  process  with  K-fold  cross  validation  [18]. 
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IV.  Results  and  Analysis 


4.1  Overview 

This  chapter  provides  results  and  analysis  of  classihcation  performance  for  802.11A/B 
signals  based  on  processes  outlined  in  Chapter  3.  This  research  follows  previous  work 
[5,  6,  7,  11,  12,  17,  16,  15]  for  OFDM  802. IIA  signals  using  a  PSD-based  transfor¬ 
mation.  The  process  for  802. IIA  signals  is  repeated  for  DSSS  802. IIB  signals  to  see 
how  well  other  signals  can  be  identihed  and  classihed.  This  chapter  includes  a  section 
for  802. IIA  SD  performance  results  and  comparison  with  WD  and  TD  taken  from 
[5,  6,  7],  a  section  for  802. IIB  SD  performance  results  including  the  Prop  method 
discussed  in  [1],  and  finally  a  section  for  comparing  802. IIA  results  with  those  of 
802. IIB. 

4.2  SD  Performance:  802. IIA  signals 

Intra-manufacturer  discrimination  follows  previous  research  [5,  6,  7]  using  four 
Cisco  devices  transmitting  802. IIA  signals,  where  the  permutations  are  shown  in  Ta¬ 
ble  4.1.  These  are  like-mode  devices  from  the  same  manufacturer  (Cisco)  and  only 
differ  in  serial  number.  It  is  assumed  that  they  have  been  manufactured  under  iden¬ 
tical  environmental  conditions,  from  identical  lots,  using  identical  components,  with 
identical  processes.  Intra-manufacturer  classihcation  is  generally  the  most  difficult  (as 
compared  with  inter-manufacturer)  due  to  the  devices  having  similar  physical  prop¬ 
erties,  varying  slightly  due  to  the  make  of  the  device  (serial  number  discrimination). 
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Table  4.1.  802. 11 A  Cisco  intra- manufacturer  permutations  [5,  6,  7]. 


Serial  Number 

Perm 

N4U9 

N4UD 

N4UW 

N4PX 

1 

X 

X 

X 

2 

X 

X 

X 

3 

X 

X 

X 

4 

X 

X 

X 

According  to  results  in  [5,  6,  7],  Permutation  presented  the  “most  stressing” 
condition  for  classification  and  yielded  poorest  performance  for  all  SNR  =  -3  to  40  dB. 
Figure  4.1  results  are  taken  directly  from  [5,  6,  7]  and  illustrate  intra-manufacturer 
classification  accuracy  for  all  four  permutations  in  Table  4.1  using  previous  TD  and 
WD  fingerprinting  techniques.  As  shown,  Perm  ^1  reflects  the  poorest  performance 
for  both  techniques.  Considering  permutation  averages,  WD  provides  approximately 
6  dB  of  “gain”  at  80%  classihcation  accuracy. 


Classification  SNR  (dB) 


Figure  4.1.  lutra-Mauufacturer  MDA/ML  Classificatiou  usiug  TD  aud  WD  fiuger- 
priuts:  All  Permutatious  for  Cisco  devices  trausmittiug  802. IIA  siguals.  Figure  aud 
results  takeu  directly  from  [5,  6,  7]. 
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Figure  4.2  shows  new  SD  classification  results  for  all  four  Cisco  permutations  in 
Table  4.1.  The  mean  across  all  permutations  is  shown  with  filled  markers.  These 
results  demonstrate  that  Permutation  and  Permutation  ^^3,  both  of  which  con¬ 
tain  serial  numbers  N4UD  and  N4UW,  present  the  most  stressing  cases  of  the  four 
permutations.  As  with  previous  TD  and  WD  results  in  [5,  6,  7],  Perm  7^1  is  again 
the  “most  stressing”  case  for  most  SNRs  considered. 


Figure  4.2.  Intra- Manufacturer  MDA/ML  Classification  using  SD  fingereprints:  All 
Permutations  for  Cisco  devices  transmitting  802. IIA  signals. 


Table  4.2  provides  classification  confusion  matrices  for  Perm  7^1  of  the  Cisco 
devices  for  signals  at  SNR  =  14  dB.  Results  for  TD  and  WD  are  taken  directly 
from  [5,  6,  7]  and  provided  for  comparison.  Classification  accuracies  for  a  specific 
class  (device)  are  presented  along  the  diagonal.  The  lower  two  matrices  demonstrate 
performance  differences  between  SD  and  TD/WD,  respectively.  SD  provides  improved 
performance  over  TD  across  all  three  devices,  with  greatest  improvement  of  28.5% 


achieved  for  correctly  classifying  Class  A.  SD  provides  some  improvement  over  WD 
for  correctly  classifying  Class  A  (8.4%)  and  Class  C  (0.8%),  and  some  degradation  in 
classifying  Class  B. 
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Table  4.2.  Intra-manufacturer  confusion  matrices  for  SD,  TD  and  WD  fingerprinting: 
Permutation  #1  from  Table  4.1  with  802. IIA  signals  at  SNR  =  14  dB.  (TD  and  WD 
results  from  [5,  6,  7]). 


SD 

Class  Estimate 

Input  Class 

A 

B 

C 

A 

77.9% 

5.2% 

16.9% 

B 

6.0% 

93.9% 

0.1% 

C 

21.7% 

0.3% 

78.0% 

TD 

Class  Estimate 

Input  Class 

A 

B 

C 

A 

49.4% 

17.3% 

33.3% 

B 

18.5% 

65.9% 

15.6% 

C 

34.2% 

12.1% 

53.6% 

WD 

Class  Estimate 

Input  Class 

A 

B 

C 

A 

69.5% 

5.9% 

24.5% 

B 

5.3% 

94.0% 

0.7% 

C 

21.5% 

1.3% 

77.2% 

SD  -  TD 

Class  Estimate 

Input  Class 

A 

B 

C 

A 

28.5% 

-12.1% 

-16.4% 

B 

-12.5% 

28.0% 

-15.5% 

C 

-12.5% 

-11.8% 

24.4% 

SD  -  WD 

Class  Estimate 

Input  Class 

A 

B 

c 

A 

8.4% 

-0.7% 

-7.6% 

B 

-0.7% 

-0.1% 

-0.6% 

C 

0.2% 

-1.0% 

0.8% 
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Figure  4.3  shows  average  classification  results  across  all  four  permutations  for  the 
three  fingerprint  generation  methods  WD,  TD  and  SD,  as  taken  from  Figure  4.1  and 
Figure  4.2.  At  80%  classification  accuracy,  SD  outperforms  TD  and  provides  a  gain 
of  approximately  8  dB.  While  the  SD  performance  is  generally  consistent  with  WD 
performance,  there  is  some  statistical  improvement  (l%-3%)  for  SNR  =  -3  to  25  dB. 


Figure  4.3.  Intra- Manufacturer  MDA/ML  Classification:  Average  performance  across 
all  four  permutations  of  four  Cisco  devices  transmitting  802. IIA  signals.  TD  and  WD 
results  from  4.1  and  SD  results  from  4.2. 


In  operational  situations  where  equipment  may  not  be  co-located,  or  operates  in 
dissimilar  environments  (such  as  laboratory  equipment)  or  when  aligned  at  the  3db 
point  of  the  collected  signal,  the  collected  signals  and  burst  start  location  can  be 
affected.  This  effect  is  referred  to  here  as  timing  “jitter”.  When  the  collected  signals 
are  aligned  “perfectly” ,  or  at  the  approximate  identical  sample  number,  the  effect  is 
referred  to  as  “perfect” .  The  “jitter”  effect  on  classification  performance  is  illustrated 
in  Figure  4.4,  where  the  signals  were  detected  using  a  tn  =  -3  dB  threshold. 

The  “jitter”  effect  can  be  seen  in  Figure  4.5,  which  overlays  the  “perfect”  align- 


31 


Figure  4.4.  Intra-Manufacturer  MDA/ML  Classification:  “Jittered”  Classification  Per¬ 
formance  using  all  Permutations  for  Cisco  devices  transmitting  802. IIA  signals. 


ment  with  that  of  the  “jittered”  collections.  As  can  be  seen,  the  effect  at  higher 
SNR  valnes  is  more  snsceptibility  to  jitter  than  the  lower  SNR  valnes,  where  the  “jit¬ 
tered”  resnlts  show  minimal  degradation.  Intra-mannfactnrer  classification  resnlts  for 
all  three  fingerprinting  methods  (TD,  WD,  and  SD)  for  observed  bnrst  location  error 
“jitter”  using  Perm  ^2  from  Table  4.1  are  shown  in  Figure  4.6,  where  performance  for 
TD  and  WD  were  taken  directly  from  [5,  6,  7].  Results  in  Figure  4.6  also  demonstrate 
SD  performance  improvement  over  TD  and  further  show  that  SD  is  less  susceptible 
to  ’’jitter”.  The  results  reflect  that  the  TD  technique  is  susceptible  to  phase  shift 
while  the  WD  and  SD  are  not. 
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Figure  4.5.  Average  MDA/ML  Classification  accuracy  for  802. 11 A  intra- manufacturer 
discrimination  using  average  “perfect”  results  from  Figure  4.2and  average  “jittered” 
results  from  Figure  4.4. 
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Figure  4.6.  Average  MDA/ML  Classification:  Comparison  of  “perfect”  and  “jittered” 
802. IIA  intra-manufacturer  discrimination  using  observed  burst  location  error  statis¬ 
tics.  TD  and  WD  results  taken  directly  from  [5,  6,  7]. 
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4.3  SD  Performance:  802. IIB  signals 


This  section  is  divided  into  two  snbsections  and  presents  results  on  intra/inter- 
manufacturer  performance  using  devices  transmitting  802.1  IB  signals.  Intra-manufacturer 
discrimination  follows  Section  4.2  with  devices  transmitting  802. IIB  signals  for  all 
permutations  and  worst  case  Perm  shown  in  Table  4.1.  To  investigate  and  com¬ 
pare  intra-manufacturer  performance  between  manufacturer,  three  devices  from  each 
Linksys  and  Netgear  were  used  as  well  as  the  three  Cisco  devices  to  see  how  well 
serial  number  discrimination  can  be  performed  using  the  SD  hngerprint  method.  Ta¬ 
ble  4.3  shows  all  devices  (used  for  802.1  IB  inter- manufacturer  discrimination  where 
the  permutations  are  shown  with  the  “x”s  in  the  table). 


Table  4.3.  802. IIB  inter-manufacturer  permutations. 


Serial  Number 

Manufacturer 

Cisco 

Linksys 

Netgear 

Perm 

N4U9 

N4UD 

N4UW 

306 

307 

361 

209 

217 

273 

1 

X 

X 

X 

2 

X 

X 

X 

3 

X 

X 

X 

4.3.1  802. IIB  Intra-Manufacturer  Performance. 

Intra- manufacturer  discrimination  was  performed  using  devices  transmitting  802.1  IB 
signals  for  all  four  Cisco  devices  shown  in  Table  4.1  as  well  as  all  three  Netgear  and  all 
three  Linksys  devices  shown  in  Table  4.3.  Figure  4.7  shows  classihcation  performance 
for  all  permutations,  where  the  mean  is  shown  with  hlled  markers. 
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Figure  4.7.  Intra- Manufacturer  MDA/ML  Classification  using  SD  fingerprints:  All 
Permutations  for  Cisco  devices  transmitting  802.1  IB  signals. 


Figure  4.8  shows  classification  performance  using  Cisco  Perm  as  well  as  all 
three  devices  for  Linksys  and  Netgear  shown  in  Table  4.3.  As  can  be  seen,  the 
Cisco  and  Linksys  devices  are  consistent,  while  the  Netgear  has  a  slight  increase  in 
performance.  Since  this  is  intra-manufacturer  discrimination,  the  results  indicate  that 
the  Netgear  performance  is  actually  poorer  compared  to  the  Cisco  and  Linksys  results, 
because  similar  devices  should  be  confused  more  with  each  other  and  performance 
degraded. 
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Figure  4.8.  Intra- Manufacturer  MDA/ML  Classification  using  SD  fingerprints:  Three 
devices  per  manufacturer  with  serial  numbers  listed  in  Table  4.3  with  devices  trans¬ 
mitting  802. IIB  signals. 


4.3.2  802. IIB  Inter-Manufacturer  Performance. 

Inter-manufacturer  discrimination  was  performed  using  permutations  in  Table  4.3. 
Results  for  three  permutation  are  illustrated  in  Figure  4.9.  Perm  ^2  and  Perm  ^^3 
demonstrate  consistent  results.  At  80%  classification  accuracy,  Perm  provides  a 
gain  of  approximately  3  dB  over  Perms  ^2  and  Perm  ^3. 
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Figure  4.9.  Inter-Manufacturer  MDA/ML  Classification  using  SD  fingerprints:  Per¬ 
mutations  from  Table  4.3  with  devices  transmitting  802. IIB  signals. 

4.3.3  802. IIB  Prop  Method  Performance. 

Work  in  [1]  for  DSSS-based  802.15.4  CC2420  devices  used  a  Prop  method  (dif¬ 
ference  in  adjacent  FFT  spectra)  that  provided  the  highest  recognition  accuracy  of 
99.5%.  Figure  4.10  illustrates  Perm  (top)  and  Perm  (bottom)  of  the  inter¬ 
manufacturer  permutations  overlayed  with  their  respective  Diff  method  results.  As 
can  be  seen,  performance  is  consistent  with  the  standard  SD  method.  The  results 
for  Perm  (Figure  4.10  bottom)  indicate  that  the  Prop  method  achieves  slight 
improvement  from  SNR  =  4  to  15  dB,  while  the  Prop  method  performance  is  poorer 
(approximately  2-3  dB)  using  the  devices  for  Perm  ^3  (Figure  4.10  bottom). 
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Figure  4.10.  Inter- Manufacturer  MDA/ML  Classification  using  SD  fingerprints:  SD 
comparison  with  Prop  using  Perms  #2  (top)  and  Perm  #3  (bottom)  from  Table  4.3 
with  devices  transmitting  802. IIB  signals. 
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4.4  SD  Performance  Comparison:  802.11A/B  signals 


Figure  4.11  shows  a  comparison  of  the  SD  technique  performance  for  the  worst 
case  Perm  of  802. IIA  compared  with  Perm  ^1  of  802. IIB,  where  the  devices 
in  each  permutation  contain  identical  serial  numbers  (Table  4.3  and  Table  4.1).  As 
can  be  seen,  the  SD  method  applied  to  802. IIB  signals  provides  an  improved  gain  of 
approximately  3  dB  (although  802. IIB  preamble  lacks  the  structure  of  the  802. IIA 
signals),  and  there  are  clearly  discriminating  characteristics  in  this  region  to  provide 
these  classihcation  results. 


Figure  4.11.  Intra- Manufacturer  MDA/ML  Classification  using  SD  fingerprints:  SD 
performance  comparison  of  802. IIA  with  802. IIB  signals  for  worst  case  Perm  #1. 


Figure  4.12  shows  mean  results  taken  from  Figure  4.4  and  Figure  4.7.  These 
results  demonstrate  overall  improved  performance  among  802.1  IB  signals  at  SNR  = 
30  to  -3  dB,  and  approximately  3  dB  gain  at  80%  classification  accuracy. 
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Figure  4.12.  Intra- Manufacturer  MDA/ML  Classification  using  SD  fingerprints:  SD 
performance  comparison  of  802. IIA  with  802. IIB  signals  for  permutation  means  taken 
from  Figure  4.4  and  Figure  4.7. 

Table  4.4  provides  classification  confusion  matrices  for  Perm  (Table  4.1)  of 
the  Cisco  devices  for  signals  at  SNR  =  14  dB,  where  the  results  for  802. IIA  were 
taken  from  Table  4.2.  Classification  accuracies  for  a  specific  class  (device)  are  pre¬ 
sented  along  the  diagonal,  where  802. IIB  achieves  an  88.3%  classification  accuracy 
and  802. IIA  achieves  83.3%  (Figure  4.11).  The  lower  matrix  demonstrate  perfor¬ 
mance  differences  between  802. IIB  and  802. IIA.  As  can  be  seen,  802. IIB  provides 
improved  performance  over  802. IIA  across  devices  A  and  C,  with  the  greatest  im¬ 
provement  of  17.6%  achieved  for  correctly  classifying  Class  A.  The  lower  matrix  also 
demonstrates  some  degradation  in  classifying  Class  B  for  802. IIB  vs  802. IIA. 
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Table  4.4.  Intra-manufacturer  confusion  matrices  for  802. IIA,  and  802. IIB  fingerprint¬ 
ing:  Permutation  #1  from  Table  4.1  with  signals  at  SNR  =  14  dB. 


802.11A 

Class  Estimate 

Input  Class 

A 

B 

C 

A 

77.9% 

5.2% 

16.9% 

B 

6.0% 

93.9% 

0.1% 

C 

21.7% 

0.3% 

78.0% 

802.11B 

Class  Estimate 

Input  Class 

A 

B 

C 

A 

95.5% 

0.8% 

3.7% 

B 

1.2% 

88.9% 

9.9% 

C 

2.9% 

16.7% 

80.4% 

B  -  A 

Class  Estimate 

Input  Class 

A 

B 

C 

A 

17.6% 

-4.4% 

-13.2% 

B 

-4.8% 

-5.0% 

-9.8% 

C 

-18.2% 

13.8% 

2.4% 

The  uniqueness  of  fingerprint  statistical  features  is  illustrated  in  Figure  4.13. 
These  RF  DNA  plots  were  generated  by  randomly  selecting  200  collected  bursts  for 
each  device,  scaling  them  to  achieve  SNR  =  14  dB,  and  averaging  the  corresponding 
statistical  hngerprints.  The  number  of  DNA  markers  per  segment  is  identical  for  both 
802. IIA  and  802. IIB.  The  y-axis  labels  correspond  to  the  statistical  measures  defined 
in  Section  2.5.  The  RF  fingerprints  (Figure  4.13)  are  from  one  manufacturer  (Cisco) 
where  the  serial  numbers  are  identihed  on  the  x-axis.  Previous  results  in  this  chapter 
showed  that  greater  uniqueness  translates  to  better  overall  classihcation  performance. 
When  comparing  Table  4.4  with  Figure  4.13  for  802. IIA,  it  can  be  seen  that  Class  A 
and  C  are  most  confused. 
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Cisco  N4U9  Cisco  N4UD  Cisco  N4UW 


Figure  4.13.  Intra-manufacturer  RF  fingerprint  DNA  plots  showing  worst  case  Perm 
#1  of  (a)  802. IIA  and  (b)  802. IIB  fingerprints  based  on  200  randomly  selected  bursts 
at  SNR  =  14  dB. 
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V.  Conclusions  and  Future  Work 


5.1  Conclusions 

The  increase  in  availability  and  reduction  in  cost  of  commercial  communication 
devices  (IEEE  compliant  such  as  802.11,  802.15  Bluetooth,  802.16,  WiMax,  etc)  has 
increased  wireless  user  exposure  and  the  need  for  techniques  to  properly  identify  sig¬ 
nals  for  increased  security.  Fundamental  emissions  from  a  device  enable  it  to  correctly 
operate  and  may  provide  unique  hngerprints  through  unintentional  modulation  due 
to  alterations  caused  by  hardware  and  environmental  factors.  These  unique  hnger¬ 
prints  (features)  enable  the  identihcation  of  the  device  manufacturer  down  to  specihc 
serial  number.  This  research  follows  previous  work  [5,  6,  7,  11,  12,  15,  16,  17]  and 
introduces  unique  Spectral  Domain  (SD)  hngerprinting  for  classifying  802.11  wireless 
devices.  This  research  focuses  on  proof-of-concept,  versus  optimization  of  parameters. 
The  following  provides  a  summary  of  results  presented  in  Chapter  IV. 

5.1.1  802. IIA  Classification  Performance. 

Relative  to  other  research  [5,  6,  7],  SD  RE  DNA  hngerprint  classihcation  perfor¬ 
mance  is  consistent  with  the  WD  approach  while  demonstrating  improved  classihca¬ 
tion  accuracy  over  the  TD  approach  for  802. IIA  signals.  In  most  cases,  classihcation 
accuracy  is  greater  than  80%  at  SNR  >  5  dB.  At  80%  classihcation  accuracy,  SD 
provides  a  gain  of  approximately  8  dB  over  the  TD  technique  and  some  improvement 
(l%-3%)  over  the  WD  technique  for  SNR  =  -3  to  25  dB  (lower  SNRs  are  more  con¬ 
sistent  with  operational  environments).  Using  a  spectral  diherencing  Prop  method 
discussed  in  [1],  some  improvement  in  performance  is  observed  for  specihc  cases,  but 
generally  fails  to  improve  overall  classihcation  performance  for  the  majority  of  per¬ 
mutations  completed. 
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5.1.2  802. IIB  Classification  Performance. 


All  parameters  used  to  process  802.1  IB  signals  are  taken  directly  from  those  used 
for  802. IIA  processing.  The  resulting  performance  of  SD  hngerprinting  with  802. IIB 
signals,  using  the  worst  case  intra-manufacturer  permutation,  provides  a  signihcant 
improvement  from  that  of  802. IIA.  An  improved  802. IIB  gain  of  approximately  3  dB 
is  demonstrated  over  802. IIA  classihcation,  which  shows  that  the  SD  hngerprinting 
techniqne  is  a  viable  classihcation  method,  providing  improved  overall  classihcation 
performance. 

5.2  Recommendations  for  Further  Research 

This  section  provides  recommendations  for  further  research  on  SD  RF  DNA  hn¬ 
gerprinting.  Comparing  resnlts  from  previous  research  using  802. IIA  signals,  SD 
hngerprinting  provides  performance  consistent  with  the  WD  approach  in  [5]  while 
providing  less  compntational  challenges.  The  following  provides  recommendation  for 
further  research  with  the  SD  approach: 

1.  Bandwidth  Sensitivity  Analysis:  A  post-collection  hlter  bandwidth  of  BW 
=  7.7  MHz  was  used  in  this  research  and  was  chosen  to  be  consistent  with 
pervious  work  in  [5,  6,  7].  Since  the  SD  method  has  proven  merit,  there  may 
be  another  bandwidth  which  provides  more  beneht  and  consistency. 

2.  Specific  Waveform  Characteristics:  This  research  focuses  on  using  stan¬ 
dard  PSD  features  for  SD  hngerprints,  while  previous  research  used  instan¬ 
taneous  amplitude,  instantaneous  phase,  and  instantaneons  freqnency  for  TD 
hngerprints  [5,  6,  7,  11,  12,  15,  16,  17].  Other  waveform  characteristics  may 
improve  accuracy  and  make  the  SD  method  more  robnst.  Previons  work  [11,  15] 
also  used  standard  deviation  along  with  variance,  skewness,  and  knrtosis.  The 
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later  three  statistics  were  chosen  here  for  consistency  with  [5,  6,  7]  and  were  not 
chosen  with  any  optimality  criteria.  There  may  be  combinations  of  statistics 
and  statistics  used  over  specihc  subregions  that  provide  greater  device/class 
separability  and  improved  classihcation  accuracy.  The  number  of  regions  {Nji 
=  13)  was  chosen  based  on  analysis  at  the  collected  SNR  =  40  dB.  Different 
Nji  may  be  better  for  other  SNR  values. 

3.  Process  and  Parameter  Optimization:  The  process  used  for  this  research 
was  adopted  from  [5,  6,  7,  11,  12,  15,  16,  17]  while  not  focusing  on  a  single 
parameter  in  the  process.  From  burst  detection  and  processing  to  signal  clas¬ 
sihcation,  many  parameters  were  chosen  based  on  prior  work  [5,  6,  7]  without 
focusing  on  any  given  factor,  parameter,  or  combinations  thereof.  Analysis  of 
specihc  parameters  and  combinations  thereof  may  be  benehcial. 

4.  Different  Signals  of  Interest:  802. IIA  OFDM-based  and  802. IIB  DSSS- 
based  signals  were  used  here  based  on  work  in  [1,  5,  15].  Diherent  OFDM 
or  DSSS  signals  that  are  emerging  for  next  generation  applications  may  be 
discriminable  with  SD  hngerprinting  as  well.  Additional  work  could  be  done 
using  SD  RF  hngerprinting  with  these  emerging  signals  and  their  appropriate 
applications. 
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Appendix  A.  Detailed  Signal  Collection  Procedures 


The  original  collection  procedures  presented  in  Appendix  A  of  [15,  11]  are  pre¬ 
sented  in  this  work  for  completeness.  These  collection  procedures  provide  a  detailed 
process  for  identifying  a  signal  of  interest,  collecting  its  transient  signal  features, 
and  converting  it  to  MATLAB®using  the  Agilent  E3238S  RFSICS  and  Vector  Signal 
Analyzer.  The  directions  below  reference  screen-shots  from  the  E3238S  software  for 
completeness. 

1.  Power  on  the  Agilent  E3238S  RFSICS. 

2.  Open  E3238S  application  (Figure  A.l). 

3.  Power  on  the  device  under  test  and  configure  it  as  necessary. 

4.  Activate  device  transmitter  and  locate  its  peak  in  the  wide-band  search  window 
(Figure  A. 2). 

5.  Zoom  in  on  the  signal  of  interest  (right-click  and  drag  to  zoom  in  spectrum 
display) . 

6.  Right-click  in  the  left  border  and  select  “Tune  to  Trace”  (Figure  A. 3). 

7.  Right-click  in  the  left  border  again.  Select  “Marker”  and  Move  Radio  Button 
to  “On”  (Figure  A. 4). 

8.  Move  the  marker  to  the  current  peak  of  the  spectrum  display  using  the  icon  in 
the  bottom  right  of  the  window  (Figure  A. 5).  The  marker  dictates  the  collection 
center. 

9.  Right-click  in  the  left  border  again.  Select  “Marker  to...”  and  Select  “Center 
Freq”  (Figure  A. 6). 
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10.  Now,  set  the  dynamic  range  of  the  ADC  by  going  to  “Confignre”,  “Search 
Receivers”,  “ADC”,  “Inpnt  Range”  and  setting  it  to  the  lowest  valne  (Fignre 
A.7). 

11.  Activate  the  transmitter  and  check  for  ADC  overload,  if  the  block  in  the  npper 
left  corner  is  red,  increase  “Inpnt  Range”  valne  one  step  at  a  time  nntil  the 
block  remains  solid  bine  (Fignre  A. 8). 

12.  Right-click  on  grayed  ont  camera  in  bottom  right  corner  of  the  main  window  to 
modify  the  “Snapshot”  settings. 

13.  Change  “Statns”  to  “Active”,  “Span”  to  the  desired  bandwidth,  “Dnration”  to 
the  desired  dnration  of  the  collection,  “Filename”  to  the  desired,  descriptive 
filename,  click  “OK”  (Fignre  A. 9). 

14.  Deactivate  the  transmitter  (if  necessary). 

15.  Click  on  the  now  Yellow  Camera  in  bottom  right  to  begin  collection. 

16.  While  collection  is  proceeding,  activate  the  transmitter  to  collect  transient  signal 
data  (Fignre  A. 10). 

The  collection  is  then  stored  as  a  “Captnre”  file  with  the  extension  “*.cap”. 
This  file  mnst  now  be  converted  to  a  “*.mat”  file  for  post-collection  processing  in 
MATLAB®.  The  Vector  Signal  Analyzer  software  can  be  nsed  to  do  this  conversion. 

1.  Open  the  Vector  Signal  Analyzer  application. 

2.  Select  “File”,  “Recall  Recording”  and  choose  the  desired  “Captnre”  file. 

3.  Next,  select  “File”,  “Save  Recording”  and  save  as  “*.mat”. 
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The  “*.mat”  file  contains  twelve  parameters.  FreqValidMax  and  FreqValidMin 
are  the  highest  and  lowest  frequencies  of  the  collection.  InputCenter  is  the  center 
frequency  of  the  collection.  XDelta  is  the  time  change  between  each  sample.  Inpu- 
tReflmped  is  the  input  impedance.  XUnit  and  YUnit  are  the  units  of  measure  for 
the  X-  and  y-axes  of  the  collection,  which  are  seconds  and  volts,  respectively.  Y  is 
complex  signal  data  of  type  “single.”  InputRange,  InputZoom,  XDomain  and  XStart 
are  additional  unused  parameters. 
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Figure  A.l.  Initial  screen  of  RFSICS  collection 


Figure  A. 2.  Wide-band  spectral  response  of  the  signal  of  interest. 
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Figure  A. 3.  Choose  “Tune  to  Trace”  as  described  in  Step  6.  Narrow-band  view  of  the 
Frequency  Content  of  the  Signal  of  Interest. 


Figure  A. 4.  Turn  the  “Marker”  on  as  described  in  Step  7. 
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Figure  A. 5.  Set  the  marker  to  the  peak  of  the  display  as  described  in  Step  8. 


Figure  A. 6.  Force  the  current  frequency  of  the  marker  to  the  center  of  the  display  as 
described  in  Step  9. 
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Figure  A. 7.  Set  the  dynamic  range  of  the  ADC  as  described  in  Step  10. 


File  Edit  Configure  S^earch  Wsplay  M^acros  Utilities  Arrows  H^elp 


\m^  a  z 


j  > 


g|  -32.72  • 
dBm 
9.9  dB/div 


-131.82 

4-  * 


46^535  MHZ 
RBW;  0.7  kHz 


jt  j;  SO  460.1277  MHz 


Figure  A. 8.  Continue  setting  the  dynamic  range  of  the  ADC  by  checking  for  overload 
as  described  in  Step  11. 
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Figure  A. 9.  Configuring  the  “Snapshot”  details  as  described  in  Step  13. 


Figure  A. 10.  Activate  the  transmitter  while  the  “Snapshot”  is  being  collected  as  de¬ 
scribed  in  Step  16. 
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